We’ve recently experienced a series of attacks conducted by malicious Tor exit node operators.
This only affects users who input the clearnet domain (localmonero.co or agoradesk.com) without prefixing it with “https://” into their Tor browser address field. This does not affect people who access the clearnet domains through a non-Tor connection or use the onion domains localmonerogt7be.onion or agoradeska6jfxpf.onion
The attacker inserts themselves in-between the user and our servers and serves their own version of the website that steals your credentials upon login.
The reason they are able to do this is because when people enter “localmonero.co” into their Tor browser address bar they do not specify “https://” in the beginning, leading the browser to first request an unencrypted version of the site. The attacker intercepts the request and prevents our servers from serving the usual automatic redirect to HTTPS. Instead, the attacker serves the user their own version of the website over HTTP and the unsuspecting user logs in to the attacker’s page and compromises their account.
If you have at any point in the past accessed our services through inputting the clearnet domain in the Tor browser, please login using the onion domain or clearnet domain on a non-Tor connection and change your password immediately for your own security. If you use that login/pass combination anywhere else, you need to change your passwords on all websites where you use that login/pass combo, as it can now be considered compromised.
In order to mitigate this attack in the long run we’ve already submitted a ruleset for HTTPS Everywhere, which was already merged into the master code, that will automatically rewrite http to https for LocalMonero and AgoraDesk before the request is even sent, however, it will take some time before this is deployed to the Tor browser distribution and all the users update their Tor browser software. In the short run, the only way to mitigate this is to inform people about it as much possible to minimize the bleeding.
The attacks on our services are not unique, as this seems to be an ongoing situation in the crypto services sphere. Frankly, it’s very unfortunate that the Tor browser team does not enable the HTTPS Everywhere setting that always rewrites requests to https by default in their distribution, as this would have saved us from this situation altogether.